Strolling through a data privacy minefield

Cloud, Big Data and the Internet of Things are among the hottest topics that vendors are driving in 2015, but there are five legal developments across these areas that are worth tracking.

1. Microsoft and US government go to court

Again, Microsoft is resisting attempts by the US government to get access to the user data it is holding outside the US. Microsoft has been storing user data geographically closer to said user, as this not only reduces lag (improving the user experience) but, in theory at least, reduces the ability of governments to get access to that data.

The revelations by Edward Snowden of wide-scale access by the US government to data under the NSA’s Prism programme - particularly to data of non-US nationals - have given rise to a new global tension in the cloud sector.

While everyone suspected the US government was accessing data, few knew the scale. This has put the spotlight on US cloud providers. If customers believe the US government can access their data because it is held by a US provider, the fear is they will move to cloud without a US angle, meaning the government is potentially damaging the growth of its own cloud industry.

Microsoft is taking a stand. The New York District Court ruled in the US government’s favour, allowing it to rely upon the Stored Communications Act to get access to personal data that Microsoft had stored in Dublin. The company has yet to comply with the order, running the risk that it will be held in contempt of court, leading to fines.

The latest salvo in this battle of the cloud came in December 2014, when Microsoft’s General Counsel published a list of companies and organisations who had filed “friend of the court” briefs supporting Microsoft’s position. This is an impressive list including technology companies such as Amazon, Apple, Cisco, eBay, HP, Rackspace, Salesforce and Verizon. It also includes 17 major news and media companies such as CNN, ABC, Fox News, Forbes and The Guardian.

This year is likely to be when we finally get resolution, one way or another. At stake is potentially the entire non-USA cloud business of US cloud providers.


2. Internet of Things will cause privacy concerns

We are all used to making some form of compromise over access to information about our private lives as the cost of living in modern society. For example, we accept surveillance via the proliferation of CCTV, analysis of our spending habits via store loyalty cards, or the tracking of our movements and data on our smartphones. The Internet of Things expands this on a grand scale. Gartner forecasts there will be nearly five billion connected devices by the end of this year, and 25 billion in 2020.

IoT massively increases the opportunity for hackers to get access to our personal data. This prompted the Chair of the US Federal Trade Commission to air her concerns at CES 2015.

The answer, not surprisingly, is for manufacturers of IoT devices to take data security into account early on and to limit data to that which is actually necessary for the use of the device.

This is not new ground. The European data protection laws have long tried to control the flow of personal data. Data security is all about the steps you take to protect the data.

What is interesting is that it is a prominent US figure raising privacy concerns. Expect the US and the EU to toughen their stance on privacy issues, in part because of IoT.

3. Massive data security fines get closer

Every month there seems to be another story of data leaks or hacking. Or both. Aside from damage to reputation, it is sometimes cheaper for a business to suffer a data breach than to introduce properly secure systems. But with new, increased data breach fines jumping to up to €100m (or five per cent of global turnover) under the new EU Data Protection Regulation, data security is likely to jump up the priority list for budget expenditure.

There will be other changes too: for example, organisations will need to appoint a data protection officer, and they will need to actually notify the authorities where there has been a data security breach. And of course, there is the infamous “right to be forgotten”.

Recent surveys have shown that, other than this new right to be forgotten, businesses are not aware of, or not prepared for, the new law. The new President of the European Commission, Jean-Claude Juncker, gave June 2015 as the deadline to conclude negotiations for the regulation, as well as the review of the Safe Harbour arrangement with the US.

But progress is slow, with a Euro MP recently complaining that the UK, France and Germany are holding up proceedings.


The regulation is not the answer to Prism, but it is an attempt to update EU data protection laws for modern uses of data, particularly in relation to mobile, cloud, Big Data and the IoT. While it seems unlikely the new regulation will actually become law in 2015, we can expect it to start taking final form.

Even if the UK votes to leave the EU following the general election later this year, we will still be subject to the regulation if we are to continue trading with the remaining EU members. So, 2015 is a good year to get your data security house in order.